[FS-5839] Support multiple SSL/TLS protocols on the same profile automagically Created: 02/Oct/13 Updated: 24/Feb/14 Resolved: 06/Feb/14 Status: Project: Component/s: Affects Version/s: Fix Version/s: Security Level: Closed FreeSWITCH mod_sofia None Type: Reporter: Resolution: Labels: Remaining Estimate: Time Spent: Original Estimate: Environment: Improvement Kristian Kielhofner Fixed None Not Specified Issue Links: Related relates to FS-5719 TLS negotiation failing with Elliptic... CPU Architecture: Kernel: Userland: Compiler: FreeSWITCH GIT Revision: GIT Master Revision hash:: None public Priority: Assignee: Votes: Minor Travis Cross 0 Not Specified Not Specified All Closed x86 Linux GNU/Linux gcc All Yes Description Assuming underlying OpenSSL support, FreeSWITCH should support at least the following SSL/TLS protocols on the same profile and socket automagically (like Apache): SSL v2.3 (shame on you!) TLS v1 TLS v1.1 TLS v1.2 Comments Comment by Brian West [ 02/Oct/13 ] Tested with setting the method to sslv23 on the profile does indeed support them all. <16>:java -jar TestSSLServer.jar 192.168.1.112 5066 Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): SSLv3 TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (TLSv1.0: idem) (TLSv1.1: idem) TLSv1.2 TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ---------------------Server certificate(s): 48dec9e21d1036bc201f0b9c709fbc349616aac0: O=bkw.org, CN=pbx.bkw.org ---------------------Minimal encryption strength: strong encryption (96-bit or more) Achievable encryption strength: strong encryption (96-bit or more) BEAST status: vulnerable CRIME status: protected Comment by Brian West [ 02/Oct/13 ] Extend it. To specify protocols and possibly ciphers. Comment by Kristian Kielhofner [ 02/Oct/13 ] Awesome. What about only supporting > version and up automatically. Config=tlsv1: tlsv1 supported tlsv1.1 supported tlsv1.2 supported ssl v2.3 NOT supported ssl v3 NOT supported Comment by Travis Cross [ 05/Feb/14 ] Talked with Brian. The current state is clearly a bit awkward. The way forward is likely to be listing the versions you want to support individually. We're looking into this. Comment by Travis Cross [ 06/Feb/14 ] This is now in tree; please test. You can specify one or more protocols to support, e.g. <param name="tls-version" value="tlsv1,tlsv1.2"/> Generated at Tue Feb 09 17:29:48 EST 2016 using JIRA 6.4.10#64025sha1:5b8b74079161cd76a20ab66dda52747ee6701bd6.